[Samba] samba4 : [kerberos part kinit work but no kpasswd

MARTIN boris martin-boris at wanadoo.fr
Fri May 9 02:01:55 MDT 2014



i have recently installed a samba 4 in a DC role.

The distribution is a debian jessie/sid, the version of samba is 4.1.7.

The server is globally working but there is some litle trouble.

on the server itself, i can do a kinit without probleme but if i try a kpasswsd, i obtain the following


root at station:/var/log/samba# kinit
Password for administrator at TOTO.FR:

root at station:/var/log/samba# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator at TOTO.FR

Valid starting       Expires              Service principal
09/05/2014 09:23:42  09/05/2014 19:23:42  krbtgt/TOTO.FR at TOTO.FR
    renew until 10/05/2014 09:23:38

root at station:/var/log/samba# kpasswd

[10 sec later ....]

kpasswd: Cannot contact any KDC for requested realm getting initial ticket



the smb.conf file is the following :


        workgroup = TOTO
        realm = TOTO.FR
        netbios name = station
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
        idmap_ldb:use rfc2307 = yes
        dns forwarder =
        allow dns updates = nonsecure
#       winbind rpc only = yes
        log level = 4
        ntp signd socket directory = /var/lib/samba/ntp_signd
        path = /var/lib/samba/sysvol/ietr.univ-rennes1.fr/scripts
        read only = No

        path = /var/lib/samba/sysvol
        read only = No

        path = /share/demo
        read only = no


and the krb5.conf is the following :


    default = FILE:/var/log/krb5.log
        default_realm = TOTO.FR
        dns_lookup_realm = false
        dns_lookup_kdc = true

# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5

permitted_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4 des3-hmac-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5


      v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                plain = {
                        something = something-else
        fcc-mit-ticketflags = true

        IETR.UNIV-RENNES1.FR = {
                kdc = admin.toto.fr:88
                admin_server = admin.toto.fr


        .mit.edu = ATHENA.MIT.EDU
        mit.edu = ATHENA.MIT.EDU
        .media.mit.edu = MEDIA-LAB.MIT.EDU
        media.mit.edu = MEDIA-LAB.MIT.EDU
        .csail.mit.edu = CSAIL.MIT.EDU
        csail.mit.edu = CSAIL.MIT.EDU
        .whoi.edu = ATHENA.MIT.EDU
        whoi.edu = ATHENA.MIT.EDU
        .stanford.edu = stanford.edu
        .slac.stanford.edu = SLAC.STANFORD.EDU
        .toronto.edu = UTORONTO.CA
        .utoronto.ca = UTORONTO.CA
        .toto.fr= TOTO.FR

        krb4_convert = true
        krb4_get_tickets = false


the tcp dump for a failed attempt of kpasswd give the folllowing :


client -> station Kerberos AS-REQ

MSG Type : AS-REQ(10)

Server Name(principal): kadmin/changepw

Encryption type rc4-hmac


station-> client BER Error : Empty choice was found ...


and the log on the server side gives


 Kerberos: Failed to decrypt PA-DATA -- client$@TOTO.FR (enctype
 arcfour-hmac-md5) error Decrypt integrity check failed

 Kerberos: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ


it seems to me like a crypting negociation failure between the client and the server, all the enctypes line in the krb5.conf was not there initialy and are a (fail) attempt to fix the trouble.


So my questions are :


- is there any way for me to know what kind of encoding samba4/kerberos expect on the server side ?

- what is the location of the credential for all the user on the server side ? are they stored in the ldap part of samba4 ?

- does any one see what i can do to fix this mess ?



best regards

More information about the samba mailing list